Security researchers have spotted a new malware campaign in the wild that spreads an advanced botnet malware by leveraging at least three recently disclosed vulnerabilities in Microsoft Office. Dubbed Zyklon, the fully-featured malware has resurfaced after almost two years and primarily found targeting telecommunications, insurance and financial services. Active since early 2016, Zyklon is an HTTP botnet malware that communicates with its command-and-control servers over Tor anonymising network and allows attackers to remotely steal keylogs, sensitive data, like passwords stored in web browsers and email clients. Zyklon malware is also capable of executing additional plugins, including secretly using infected systems for DDoS attacks and cryptocurrency mining. Different versions of the Zyklon malware has previously been found being advertised on a popular underground marketplace for $75 (normal build) and $125 ( Tor-enabled build). Once opened, the malicious doc file equipped with one of these vulnerabilities immediately runs a PowerShell script, which eventually downloads the final payload, i.e., Zyklon HTTP malware, onto the infected computer. "In all these techniques, the same domain is used to download the next level payload (Pause.ps1), which is another PowerShell script that is Base64 encoded," the FireEye researchers said."The Pause.ps1 script is responsible for resolving the APIs required for code injection. It also contains the injectable shellcode.""The injected code is responsible for downloading the final payload from the server. The final stage payload is a PE executable compiled with .Net framework."Interestingly, the PowerShell script connects to a dotless IP address (example: http://3627732942) to download the final payload. What is Dotless IP Address? If you are unaware, dotless IP addresses, sometimes referred as 'Decimal Address,' are decimal values of IPv4 addresses (represented as dotted-quad notation). Almost all modern web browsers resolve decimal IP address to its equivalent IPV4 address when opened with "http://" following the decimal value. For example, Google's IP address 18.104.22.168 can also be represented as http://3627732942 in decimal values (Try this online converter). The best way to protect yourself and your organisation from such malware attacks are always to be suspicious of any uninvited document sent via an email and never click on links inside those documents unless adequately verifying the source. Most importantly, always keep your software and systems up-to-date, as threat actors incorporate recently discovered, but patched, vulnerabilities in popular software—Microsoft Office, in this case—to increase the potential for successful infections. Source Enjoy not being paranoid, while it last!